In Brazil, where credit cards are one of the main forms of payment and digital data has a value comparable to that of cash, the risks of online fraud are becoming increasingly present, requiring extra attention from consumers and companies.
To get an idea of the scale of the problem, four out of ten Brazilians, or 42% of the population, have already been victims of scams and financial fraud. The figure comes from the "Digital Identity and Fraud Report 2024," a survey conducted by Serasa Experian.
Another study, by the National Confederation of Store Managers (CNDL) and the Credit Protection Service (SPC Brasil), in partnership with Sebrae, shows that about 8.4 million consumers reported fraud at financial institutions in the last 12 months. Among the scams, credit and debit card cloning is the main type of fraud.
Although approximately 70% of Brazilians have three or more cards, according to Serasa, the risk perception is still low. About 69% of Brazilians still underestimate the danger of registering financial data on websites and apps, leaving a large portion of the population exposed to digital scams and cyberattacks.
Amid the growing alert about digital security, good news emerges: new initiatives and technological advances are making the online environment safer every day.
Recently, the PCI Security Standards Council (PCI SSC) proposed new guidelines for the ongoing development and improvement of security standards, applicable to companies that store, process, or transmit payment data, as well as to software developers and manufacturers of devices used in transactions. The PCI SSC is a global organization that brings together the main players in the payments industry to promote resources for secure transactions.
“As threats and technology evolve, PCI DSS standards are also updated. Therefore, it is necessary to be aware of new requirements now and make the necessary adjustments,” warns Wagner Elias, CEO of Conviso, a developer of application security solutions.
Among the updates are those to the Payment Card Industry Data Security Standard (PCI DSS), created to protect the entire payment value chain. Its compliance requirements cover everything from storing cardholder data to securing access to sensitive payment information.
“In short, it is necessary to reinforce the protection of customer data, implementing additional measures to prevent unauthorized access,” says the expert.
Thus, companies will need to adapt and invest in new technologies. Some of these solutions, for example, are capable of providing a comprehensive view of the risks associated with each application. "These tools integrate different systems, centralizing information and assisting in prioritizing actions, all in a continuous manner," explains the CEO of Conviso, referring to the Conviso Platform, the company's Application Security Posture Management (ASPM) product launched in 2010.
However, the specialist highlights that many companies still adopt a reactive stance regarding their system security, only prioritizing the issue after suffering an attack. This behavior, according to him, is concerning because security breaches can lead to significant financial losses and irreparable damage to the organization's reputation, which could be avoided with preventive measures.
For him, when considering the creation of new software, it is essential that the company incorporate security at every stage of the development cycle, from requirements gathering (the first phase that analyzes what the app will do) to deployment (production and final delivery).
“To avoid these risks, the key is to adopt Application Security practices from the beginning of the development of the new application. This ensures that protective measures are implemented at all stages of the software life cycle. In addition to being significantly more cost-effective than remediating damage after an incident, investing in preventive security is much more effective. This allows you to prevent attacks, protect sensitive data, ensure compliance with legislation and guidelines, and ensure that the application is safe and reliable for users from the start,” says the expert.
Wagner explains that the company develops solutions that integrate security into DevOps, allowing each line of code to be developed with protective practices, as well as services such as penetration testing and vulnerability mitigation. "Conducting continuous security and test automation analyses allows companies to meet standards without compromising efficiency," highlights Wagner.
In addition to implementing robust technologies, the CEO of Conviso emphasizes the importance of specialized consulting firms, which help companies adapt to the requirements of PCI DSS 4.0 and other regulations. Offensive services such as Penetration Testing, Red Team, and third-party security assessments promote a proactive and comprehensive security approach, identifying and fixing vulnerabilities before they can be exploited.
Investments must accelerate
This transformation in digital security not only reinforces consumer trust in a secure online environment but also accompanies the rapid growth of the application security market, which is expected to expand from $11.62 billion in 2024 to $25.92 billion by 2029, according to Mordor Intelligence. "Implementing cutting-edge technology marks a turning point in digital protection and reinforces trust in a market that depends, more than ever, on security to thrive," concludes Wagner.
Below are the 12 PCI DSS requirements that a 4.0 compliance assessment must cover:
- Install and maintain a firewall
- Do not use vendor default configurations
- Protect stored cardholder data
- Encrypt the transmission of payment data
- Regularly update your antivirus software
- Deploy secure systems and applications
- Restrict access to cardholder data as needed
- Assign each user a unique access ID
- Restrict physical access to data
- Track and monitor network access
- Continuously test processes and systems for vulnerabilities
- Create and maintain an infosec policy
The implementation of the PCI DSS 4.0 guidelines is taking place in two phases:
- The first phase, with 13 new requirements, had a deadline of March 31, 2024.
- The second phase, with 51 additional requirements, must be implemented by March 31, 2025.